McAfee, think tank push online voting, but recognize security risks

The U.S. and other nations should look toward Internet voting to make it easier for disabled and elderly people to cast ballots, and to increase participation among young people, but online security remains a huge hurdle, according to a new paper for the Atlantic Council and McAfee.

Online voting has "the power to revolutionize the democratic process around the world," said the paper, released Wednesday by the think tank and Intel's security division. However, online security will "need to be vastly improved."

With the paper, the Atlantic Council and McAfee are pushing to "change the nature of the cybersecurity debate," said Tom Gann, McAfee's vice president of government relations. "Our goal is to move the public discussion from one that all too often focuses on gloom and doom, to one that focuses on the age of the possible."

The paper lists several potential solutions to the security problems, including broader use of encryption, biometric identification, and preconfigured bootable USB sticks or CDs containing voting software that could be sent to voters.

But as the U.S heads toward a national election in November, large-scale online voting systems in the country are a long way off, some security and e-voting experts said during a discussion of the paper at the think tank.

With the underlying and ongoing security problems of the Internet, secure online voting on a large scale may still be 30 to 40 years away, said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.

"You hear about all these breaches; every day there's a new news story," said Pamela Smith, president of Verified Voting, a group that has pushed for electronic voting audit trails. "You wonder sometimes where the idea of sending something as valuable as votes over the Internet, how did that get to be a good idea?"

In the U.S., local governments, many with tiny IT budgets, run elections, Smith said. Many local governments don't have the resources to fix problems or fight off attacks against online voting systems, she said.

Much of the focus on security for online elections has until now focused on securing the network, but vulnerabilities on voters' devices could also cause problems, said Representative Jim Langevin, a Rhode Island Democrat. "Relying on a voter's PC or smartphone to honestly represent her intentions is simply naive with malware as prevalent as it is," he said.

In addition, online voting compounds one of the stickier problems of earlier electronic voting machines, in that it can be difficult to verify and audit votes after they are cast, Hall noted. "If you don't have something to audit, if you don't have something to recount, that is independent of the software, you may be in a world of hurt," he said.

Other panelists disagreed about the maturity of online voting systems. A handful of countries including Brazil, Estonia and Switzerland have already rolled out online voting systems, noted Damon Wilson, the executive vice president of Atlantic Council.

Other countries are moving toward online voting in the near future, added Jordi Puiggali, chief security officer at elections technology vendor Scytl. It is possible now to run secure online elections using encryption and other security measures, he said.

"It's impossible to say in 20 years, 'now the Internet is secure,'" he said. "We will have new threats."

With a huge number of potential benefits, technologists and policymakers should focus on improving online voting security independent of the underlying network, said Kent Landfield, McAfee's director of standards and technology policy.

"We don't want wait 30 years to get the Internet as stable as it could be for electronic voting online," he said. "We need to start looking at how to design the voting system to ride on top of that kind of infrastructure, knowing the infrastructure itself is not as secure as we want."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.